MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 ee3c8074586e7ff5f5bce12b57a53bf69ff7887b771c66bb07b7570746df8973. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


lgoogLoader


Vendor detections: 15


Intelligence 15 IOCs YARA File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: ee3c8074586e7ff5f5bce12b57a53bf69ff7887b771c66bb07b7570746df8973
SHA3-384 hash: 5d18be49a2a68a2a3d5c767c71b56bdef8b15265dbfb99704af7e76649d22df674ec1bce9f0a070fcc9cc806846ff91a
SHA1 hash: b171e41176131e16d66171e4ef2011cc219dded4
MD5 hash: 0a60793c3b8652873b192cb684d06a3c
humanhash: nevada-romeo-crazy-march
File name:file
Download: download sample
Signature lgoogLoader
Create hunting rule
File size:1'311'648 bytes
First seen:2022-11-12 21:42:33 UTC
Last seen:2022-11-13 14:03:06 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash 9e097ad6dfe92315f2dada8dd88ba8b9 (2 x lgoogLoader, 1 x ArkeiStealer)
ssdeep 24576:RpQJlzmIqdpiC2mAV0SStLyapSgdEh82yiRpucAIKZKQca55HfbFX:RpQJlCxdomJftLz/defu5/h
Threatray 15 similar samples on MalwareBazaar
TLSH T15355E105202DCAD5E9C942BE0C01A736EC795637D7414BC323684672F9AA860E9F6FE7
TrID 32.2% (.EXE) Win64 Executable (generic) (10523/12/4)
20.1% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
15.4% (.EXE) Win16 NE executable (generic) (5038/12/1)
13.7% (.EXE) Win32 Executable (generic) (4505/5/1)
6.2% (.EXE) OS/2 Executable (generic) (2029/13)
File icon (PE):PE icon
dhash icon f0cc92f2b296ccf0 (1 x lgoogLoader)
Reporter andretavare5
Tags:exe LgoogLoader signed

Code Signing Certificate

Organisation:synthesis.com
Issuer:R3
Algorithm:sha256WithRSAEncryption
Valid from:2022-09-29T18:13:49Z
Valid to:2022-12-28T18:13:48Z
Serial number: 03e4cc02542459b73e5f191e4187d42b149c
Intelligence: 5 malware samples on MalwareBazaar are signed with this code signing certificate
Thumbprint Algorithm:SHA256
Thumbprint: f62db596fc4ceb301396af11bcff94eb761aa6c8a9535fdbb7966c7dec77c9ae
Source:This information was brought to you by ReversingLabs A1000 Malware Analysis Platform


Avatar
andretavare5
Sample downloaded from https://myfileexe.s3.ap-northeast-3.amazonaws.com/wNVQxhAtT9Mx.exe

Intelligence

File Origin
# of uploads :
31
# of downloads :
233
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
file
Verdict:
Malicious activity
Analysis date:
2022-11-12 21:43:50 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/8bba1be4-0f82-4b78-bf41-ebb9014cb458

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/333039/
Detection(s):
SecuriteInfo.com.HEUR.Trojan-Downloader.Win32.LgoogLoader.gen.28365.32032.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a window
Launching a process
DNS request
Unauthorized injection to a system process
Result
Malware family:
n/a
Score:
  8/10
Tags:
n/a
Link:
https://dragonfly.certego.net/analysis/51787/overview
Behaviour
MalwareBazaar
SystemUptime
MeasuringTime
EvasionGetTickCount
EvasionQueryPerformanceCounter
CheckCmdLine
Verdict:
Suspicious
Threat level:
  5/10
Confidence:
100%
Tags:
greyware overlay packed
Link:
https://www.filescan.io/uploads/637013655ae98d577068eab6/reports/7dedb920-f628-48c4-a85e-c5012c3d5c98/overview
Result
Verdict:
SUSPICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
NetWalker Ransomware
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/fa13507b-84be-41f9-b293-c10e6f49935e
Result
Threat name:
lgoogLoader
Create hunting rule
Detection:
malicious
Classification:
troj.evad
Score:
84 / 100
Link:
https://www.joesandbox.com/analysis/1111995
Signature
Allocates memory in foreign processes
Contain functionality to detect virtual machines
Contains functionality to infect the boot sector
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Multi AV Scanner detection for submitted file
Writes to foreign memory regions
Yara detected lgoogLoader
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/ee3c8074586e7ff5f5bce12b57a53bf69ff7887b771c66bb07b7570746df8973/
Threat name:
Win32.Downloader.LgoogLoader
Create hunting rule
Status:
Malicious
First seen:
2022-11-12 20:56:05 UTC
File Type:
PE (Exe)
Extracted files:
6
AV detection:
10 of 25 (40.00%)
Threat level:
  3/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=5y6ia5cynz77l5n44evvpjj362p7pcd3o4ognoyhw5lqorw7rfzq._file
Verdict:
malicious
Similar samples:
303bd4a9a4f522900dcb9af3030f9683b64cb904e12e75ed06723c43215ef438
lgoogLoader
322f8b985672fe452211e1299a29037be69a9b467e8a8cdcad02afd0835e1dee
lgoogLoader
32e8bb7e05049dcc6ffad8ff029468246734dd8adb01af52a55ddc1488b397c3
lgoogLoader
515780fa8ff85a48d8c2e2d1f3d72d42fb22ab8d08cf7845b92a53ffdf60cfe6
lgoogLoader
7b9c1aa81aef60c0b403ff3859fc4c6be0b48fb56e1a4456f42ed0da84941993
lgoogLoader
89e38e3faf20476d7e207d39fccffbe8c09b370f1fdbeca0d70caa0326077503
lgoogLoader
e1c911c9ca01ebd5d0293caf5662277d251276dfaf1dcdb3dc581718ad319330
lgoogLoader
fea97bcd0bcd24fae553aa9152a410e3e6064edbd8011c3b2d9fcee40cc430f8
lgoogLoader
+ 5 additional samples on MalwareBazaar
Result
Malware family:
lgoogloader
Create hunting rule
Score:
  10/10
Tags:
family:lgoogloader downloader
Link:
https://tria.ge/reports/221112-1kv8lscg4x/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Detects LgoogLoader payload
LgoogLoader
Verdict:
Suspicious
Tags:
n/a
YARA:
n/a
Link:
https://app.threat.zone/submission/85c169a7-5602-4534-8d57-12710cdc9f9b
Unpacked files
SH256 hash:
0b67e1d85981ddc82f789bf6d5917e0d23d255ef4067066bb29235e394bfead7
MD5 hash:
729d6e3c7eed4d6f476e870c862db6ae
SHA1 hash:
71f971386c6e6d47ffdf76f03a649df64e80b00c
Link:
https://www.unpac.me/results/99c484ed-d350-4946-b235-0f3baf131b2e/
SH256 hash:
785ed14e72934e8c8be4407040da466f8603ec69460392ab2a3ca6472d1fcf11
MD5 hash:
29ab88da7b9368257f6ae95cfbe902e8
SHA1 hash:
1e68c48dd2240d61052d9defbd363dc25eef4ae5
Link:
https://www.unpac.me/results/99c484ed-d350-4946-b235-0f3baf131b2e/
SH256 hash:
ee3c8074586e7ff5f5bce12b57a53bf69ff7887b771c66bb07b7570746df8973
MD5 hash:
0a60793c3b8652873b192cb684d06a3c
SHA1 hash:
b171e41176131e16d66171e4ef2011cc219dded4
Link:
https://www.unpac.me/results/99c484ed-d350-4946-b235-0f3baf131b2e/
Malware family:
SmokeLoader
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/ee3c8074586e/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/ee3c8074586e7ff5f5bce12b57a53bf69ff7887b771c66bb07b7570746df8973

File information

The table below shows additional information about this malware sample such as delivery method and external references.

  
Dropped by
PrivateLoader
  
Delivery method
Distributed via drive-by
Cape
Cape
https://www.capesandbox.com/analysis/333039/
  
URLhaus
https://urlhaus.abuse.ch/url/2409389/

Comments